I simply don't confirm the password (or email). The overwhelming majority of people are going to type it properly, as substantiated by my failed login stats (less than 1%). For the remaining 1%, I'll concentrate on recovering from their error easily rather than depressing conversion among ALL users by making the signup form two fields longer. (And, ahem, if all of them were to get frustrated and abandon their trial, well, 1%.)
Edited to add: Context for why that number is so low: The vast majority of my trial users are up-or-out within 3 days, and since I default to setting a 2 week "remember me" cookie, typically only my most interested users ever have to type their password ever again.
By the way, you would be astonished how many of my users think they cannot type their school email address from their home computer and vice versa.
Back in the day when I wasn't using keepass and just had 2-4 passwords I regularly used (one for sites I considered safe... and then a couple more for unsafe sites), I found that seeing my password in plain text on the screen was really unsettling. Even if I was home alone and there was no chance of anyone looking over my shoulder, it just felt so... unsafe.
I wonder if other people have a similar reaction.
Might be better to make users type in the password a second time rather than give them a queasy feeling in the pit of their stomach.
(The ####### protects against someone peeking over their shoulder the exact instant they register, who wants to steal their password. It's not really very plausible and certainly not worth the hassle.)
If, first, we could rid the world of the many many sites out there that actually make you type your email or username twice, the world would be vastly improved. Not that the article isn't interesting.
That's what I thought, but on my site, I'd say about 5% of people make a typo on their email address. Now I am probably going to join the "confirm email" club.
But does typing the email address twice, on the same form a mere 20 pixels from where you previously typed in full view of the previous entry, actually bring out corrections? If you mistype it the same way twice, you may not notice that you mistyped it, as both fields will look the same. For password fields, where the input is hidden/obscured, the double entry makes some sense (ignoring the UI issues/possibilities outlined in the OP), but with email addresses, it seems less so. I'd be interested in hearing stats after you make a change.
Also, are the typos you've seen more often in the LHS or the RHS (of the @) in the email address? The RHS is relatively easy to spot check, by doing an MX and A DNS lookup to see if the domain exists -- you'll check actual delivery later. I've found this to be more robust than regular expressions that attempt to "validate" email addresses (see HN postings from earlier today) and assume a fixed size on the RHS, and are often overly aggressive in trying to detect "illegal" characters on the LHS, like +, which is not actually an illegal character.
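The check the comment above describes, as an added example that is not code from any commenter: a deliberately loose structural check on the local part (so "+" and similar legal characters pass), a hostname-syntax check on the domain, and then a pluggable domain lookup. The default resolver uses `socket.getaddrinfo` (an A/AAAA lookup; an MX lookup would need a DNS library such as dnspython, which is not used here), and `fake_resolver` with `KNOWN_DOMAINS` is a constructed stand-in so the block runs offline. All function names are this example's own.

```python
import socket
from typing import Callable, Tuple

# A resolver answers one question: does this domain exist in DNS?
# It is injectable so the check can be exercised without network access.
Resolver = Callable[[str], bool]

MAX_DOMAIN_LEN = 253
MAX_LABEL_LEN = 63
LABEL_CHARS = set("abcdefghijklmnopqrstuvwxyz0123456789-")


def domain_has_address(domain: str) -> bool:
    """Live resolver: True if the domain has an A/AAAA record.
    Mail delivery falls back to the A record when no MX exists, so this is a
    usable minimum; an MX lookup (dnspython etc., not used here) is the better
    signal. Give this a timeout in a real web handler: DNS can be slow."""
    try:
        socket.getaddrinfo(domain, None)
        return True
    except socket.gaierror:
        return False


def valid_domain_syntax(domain: str) -> bool:
    """Cheap structural check on the RHS: dot-separated hostname labels.
    Single-label names (e.g. 'localhost') are rejected on purpose for a public
    signup form. Internationalised domains should be IDNA-encoded first; that
    conversion is out of scope here."""
    if not domain or len(domain) > MAX_DOMAIN_LEN or "." not in domain:
        return False
    for label in domain.split("."):
        if not label or len(label) > MAX_LABEL_LEN:
            return False
        if label[0] == "-" or label[-1] == "-":
            return False
        if not set(label) <= LABEL_CHARS:
            return False
    return True


def check_email(addr: str, resolver: Resolver = domain_has_address) -> Tuple[bool, str]:
    """Return (ok, reason). The LHS check is intentionally permissive: '+' and
    most printable characters are legal there, so only emptiness, length,
    whitespace and control characters are rejected. Quoted local parts that
    themselves contain '@' are legal per RFC but rejected here for simplicity.
    The domain gets the syntax check, then the resolver; an existing domain
    still does not prove the mailbox exists, so delivery is confirmed later."""
    addr = addr.strip()
    if addr.count("@") != 1:
        return False, "address must contain exactly one '@'"
    local, domain = addr.rsplit("@", 1)
    if not local or len(local) > 64:
        return False, "local part empty or too long"
    if any(c.isspace() or ord(c) < 32 or ord(c) == 127 for c in local):
        return False, "local part contains whitespace or control characters"
    domain = domain.lower()
    if not valid_domain_syntax(domain):
        return False, "domain is not a well-formed hostname"
    if not resolver(domain):
        return False, "domain does not resolve"
    return True, "ok"


# Constructed offline stand-in for DNS: only these domains "exist".
KNOWN_DOMAINS = {"example.com", "school.edu"}


def fake_resolver(domain: str) -> bool:
    return domain in KNOWN_DOMAINS


if __name__ == "__main__":
    samples = [
        "alice+news@example.com",   # '+' in the LHS is fine
        "bob@exmaple.com",          # transposed letters in the RHS: caught by lookup
        "carol@@example.com",       # two '@'
        "dave@localhost",           # single-label domain
        "erin smith@school.edu",    # whitespace in the LHS
    ]
    for sample in samples:
        print(f"{sample!r:30} -> {check_email(sample, fake_resolver)}")
```

Note what this catches and what it does not: a misspelled domain that happens to exist (a typo-squat or an unrelated real domain) passes the lookup, and an LHS typo is invisible to any server-side check, which is why the comment defers the real test to actual delivery.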
One option might be to not ask for a password at all and auto generate it. Most sign ups include some form of confirmation email, perhaps a password could be sent with it? Not appropriate for every app but registration with nothing more than email address is getting as stripped down as possible.
Yeah, use 1Password and let it generate a strong password and fill in the forms for you. Can't say it quite changed my life but it's been the most useful piece of software I've bought all year.
I can't tell you how many times I've tried logging into HN using the signup form (which, of course, doesn't ask for your password confirmation). The password confirmation, I think, has become a necessary input field to let users instantly recognize and know that they're signing up for an account. Qwerty keyboards, for example, aren't the most efficient way to type, but the layout has become so ingrained into our brains that we can't imagine any other way to type.